Compatible trust in a computing device

ABSTRACT

A method and apparatus for executing a first executable code image having a first version number into a memory of a device in an attempt to establish an operating environment of the device are described. The first executable code image retrieves a second version number from the second executable code image after successfully authenticating the second executable code image. If the first version number and the second version number do not satisfy a predetermined relationship, the second executable code image is prevented from being loaded by the first executable code image.

FIELD OF INVENTION

The present invention relates generally to electronic security. Moreparticularly, this invention relates to booting a computing devicesecurely.

BACKGROUND

As more and more computing devices are being used in people's dailylife, security has become a widespread concern for users and contentproviders. Viruses, worms, Trojan horses, identity theft, software andmedia content piracy, and extortion using threats of data destructionare rampant. Usually, these attacks involve installing and executingmalicious software codes to expose access to device resources that wouldotherwise be private to the system, the content provider, the user or anapplication.

For example, a hacker program when running in consumer computing devicesdeveloped to play audio/video content, such as Hollywood movies ormusic, could potentially allow the cracking of the encryption used tosecure the A/V content. Therefore, high levels of security are usuallyrequired for such devices.

An operating system may provide some security features to guard againstsuch attacks. However, the security features of an operating systemoften fail to keep up with new attacks occurring on a daily basis.Moreover, when booting a computing device, security features may not yetbe initialized and are vulnerable to bypass and/or tampering.

Another way to guard against these attacks is to completely seal acomputing device from installing and/or running any additional softwareafter shipped out from manufacturers. Such a strict measure, however,severely limits the capabilities and the flexibilities of the underlyingcomputing device. Not only does it make upgrading a computing devicecostly and difficult, it is not able to take advantage of increasingnumber of applications which do require downloading and running softwarecodes from outside the device. In addition, the rapid technologyadvancement usually renders the applications or functionalitiesoriginally built inside a computing device obsolete within a very shortperiod of time.

Therefore, current security measures do not deliver a robust solution toprotect applications and content inside a computing device, while at thesame time providing the flexibility to update the software and orfirmware for the device.

SUMMARY OF THE DESCRIPTION

A method and apparatus for executing a first executable code imagehaving a first version number into a memory of a device in an attempt toestablish an operating environment of the device are described herein.The first executable code image retrieves a second version number fromthe second executable code image after successfully authenticating thesecond executable code image. If the first version number and the secondversion number do not satisfy a predetermined relationship, the secondexecutable code image is prevented from being loaded by the firstexecutable code image.

In an alternative embodiment, a plurality of executable code images areloaded in sequence in order to establish an operating environment of aportable device. A current executable code image is configured toauthenticate a next executable code image in the sequence. Uponsuccessfully authenticating the next executable code image, the currentcode image examines a version of the next executable code image. If theversion of the next executable code image does not satisfy apredetermined relationship with respect to a version of the currentexecutable code image, the next executable code image is prevented frombeing loaded.

In yet another alternative embodiment, a first version of a firstoperating environment executed by a first processor of a device isexamined in view of a second version of a second operating environmentexecuted by a second processor in response to a service request from thefirst operating environment for a service provided by the secondoperating environment. The service request is denied if the firstversion and the second version do not satisfy a predeterminedrelationship.

Other features of the present invention will be apparent from theaccompanying drawings and from the detailed description that follows.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example and notlimitation in the figures of the accompanying drawings, in which likereferences indicate similar elements and in which:

FIG. 1 is a block diagram illustrating one embodiment of systemcomponents for secure booting;

FIG. 2 is a block diagram illustrating one embodiment of systemcomponents executing secure booting;

FIG. 3 is a flow diagram illustrating one embodiment of a process toperform secure booting;

FIG. 4 is a flow diagram illustrating one embodiment of a process togenerate a signature from a code image based on an UID (UniqueIdentifier) and a seed string;

FIG. 5 is a block diagram illustrating one embodiment of networkconnections for a host to securely boot a device;

FIG. 6 is a flow diagram illustrating an embodiment of a process tosecurely recover an operating environment from a host to a device;

FIG. 7 is a state diagram illustrating an embodiment of a process toperform minimum secure recovery of an operating environment from a hostto a device;

FIG. 8 is a flow diagram illustrating one embodiment of a process tosecurely restore software components from a host to a device;

FIG. 9 is a flow diagram illustrating one embodiment of a process tosecurely update an application from a host to a device;

FIG. 10 is a flow diagram illustrating one embodiment of a process forexecuting unverified code image;

FIG. 11 is a block diagram illustrating one embodiment of systemcomponents for verifying compatible trusts in secure system booting;

FIG. 12 is a block diagram illustrating one embodiment of systemcomponents for validating trust compatibility with an operating coderunning in a separate processor;

FIG. 13 is a flow diagram illustrating one embodiment of a process torevoke a code image without a compatible trust;

FIG. 14 is a flow diagram illustrating one embodiment of a process torestore an operating environment to a device according to a compatibletrust;

FIG. 15 is a flow diagram illustrating one embodiment to verifycompatible trust when providing services to operating environments inseparate processors;

FIG. 16 is a state diagram illustrating an embodiment of a process toperform continued revocation of trusted systems based on epoch numbers;

FIG. 17 illustrates one example of a typical computer system which maybe used in conjunction with the embodiments described herein.

FIG. 18 shows an example of a data processing system which may be usedwith one embodiment of the present invention

DETAILED DESCRIPTION

A method and an apparatus for secure booting of a computing device aredescribed herein. In the following description, numerous specificdetails are set forth to provide thorough explanation of embodiments ofthe present invention. It will be apparent, however, to one skilled inthe art, that embodiments of the present invention may be practicedwithout these specific details. In other instances, well-knowncomponents, structures, and techniques have not been shown in detail inorder not to obscure the understanding of this description.

Reference in the specification to “one embodiment” or “an embodiment”means that a particular feature, structure, or characteristic describedin connection with the embodiment can be included in at least oneembodiment of the invention. The appearances of the phrase “in oneembodiment” in various places in the specification do not necessarilyall refer to the same embodiment.

The processes depicted in the figures that follow, are performed byprocessing logic that comprises hardware (e.g., circuitry, dedicatedlogic, etc.), software (such as is run on a general-purpose computersystem or a dedicated machine), or a combination of both. Although theprocesses are described below in terms of some sequential operations, itshould be appreciated that some of the operations described may beperformed in different order. Moreover, some operations may be performedin parallel rather than sequentially.

The term “host” and the term “device” are intended to refer generally todata processing systems rather than specifically to a particular formfactor for the host versus a form factor for the device.

In one embodiment, secure booting a device may be designed to ensurecritical resources within the device will be protected in an operatingenvironment. In the mean time, secure booting a device may provide aflexibility to allow software running inside the device to be updatedand installed under different policies and procedures without requiringunnecessary management, material and/or performance costs. In oneembodiment, the security of booting a device may be performed by thecode and data stored inside a secure storage area such as a ROM (ReadOnly Memory), also referred to as a secure ROM, integrated togetherwithin the device. The content of a secure ROM may be stored during amanufacturing stage of the device. The secure ROM may be associated witha UID (Unique Identifier) of the device, which uniquely identifies thedevice. A trust of a software code running in the device may be rootedfrom a code image signed through the secure ROM based on the UID.

According to one embodiment, the secure ROM of a device may include afingerprint of a root certificate of a trusted entity. A code imagecertified through the trusted entity may be trusted to be executed inthe device according to a certification process via the secure ROM basedon the fingerprint. In one embodiment, secure booting the device mayrecover trusted software codes when coupled with the trusted entityaccording to the secure ROM. The secure ROM may extend a trust to a codeimage certified through the fingerprint based on the device UID stored.In one embodiment, the secure ROM may allow application softwarerestoration by certifying a code image downloaded from an externalconnection. In another embodiment, the secure ROM may force cleaning upuser data stored inside the device by a trusted software code downloadedthrough external connection.

FIG. 1 is a block diagram illustrating one embodiment of systemcomponents for secure booting. System 100 may reside in one or morechips inside a device. In one embodiment, system 100 may include a chip105 coupled with a memory component 103. Chip 105 may also include a RAM(Random Access Memory) component 111, such as an SRAM (Static RandomAccess Memory) or an EDRAM (Embedded Dynamic Random Access Memory). Acode image may be loaded into the memory component 103 prior to beingexecuted by the device. When executed, a code image may enable a userapplication, a system application, and/or an operating environment (e.g.operating system) for the device that supports the user or systemapplication. In one embodiment, memory component 103 includes DDR(Double Data Rate) memory. Chip 105 may include a ROM 113 storing codes115 and associated data 117. Codes 115 may include implementation of SHA(Secure Hashing Algorithm) hashing functions such as cryptographic hashfunctions SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. Additionally,codes 115 may include implementations of data encrypting algorithms suchas AES (Advanced Encryption Standard) encryption. In one embodiment,codes 115 may cause hardware initialization for the device to support aconnection or communication interface such as USB (Universal SerialBus). Codes 115 may include instructions to change the clock rate of thedevice. Note that throughout this application, SHA and AES are utilizedas examples for the illustration purposes only; it will be appreciatedthat other hashing and/or encryption techniques may also be utilized.

In one embodiment, codes 115 may cause loading a code image into adevice memory such as memory component 103 or RAM 111. A code image maybe loaded from a storage component 109 coupled with the chip 105. Thestorage component 109 may be a flash memory, such as a NAND flash, a NORflash, or other mass storage (e.g., hard disk) components. In anotherembodiment, a code image may be loaded though a connection interface 101from a source external to the device. The connection interface 101 maybe based on a USB connection, an Ethernet connection, or a wirelessnetwork connection (e.g., IEEE 802.1x), etc. In one embodiment, codes115 may cause storing a code image from a device memory into the storagecomponent 109 after verifying the code image includes only trustedcodes.

Before the device may start executing the code image loaded in thedevice memory, codes 115 may perform verification operations on theloaded code image to ensure the code image could be trusted. In oneembodiment, codes 115 may verify a loaded code image according to dataincluded in the chip 105, such as the data section 117 inside the ROM, aUID 119 and/or a GID (Global Identifier) 121. UIDs 119 may be unique foreach device. In one embodiment, all devices are associated with a singleGID 121. In one embodiment, a GID may be used to encrypt a code image toprevent code inspection. Data section 117 of the ROM 115 may store afingerprint 123 based on a signature from a trusted entity such as apublic key certificate. In one embodiment, separate devices may includefingerprints 123 based on the same trusted entity.

FIG. 2 is a block diagram illustrating one embodiment of systemcomponents executing secure booting. System 100 may load an LLB (LowLevel Boot) code image 229 from storage component 109 into RAM 111 asLLB 225. LLB 225 may be related to long term power management of thesystem 100. In one embodiment, LLB 225 may include an identification ofthe version of system 100. Code image LLB 225 may be loaded based onexecution of codes 115. In one embodiment, code image LLB 229 may bestored from RAM 111 based on code image LLB 225 via execution of codes115.

Code image iBoot 227, according to one embodiment, may be loaded intomemory component 111 from storage 109 based on code image iBoot 231according to execution of LLB 225. Code image iBoot 231 may causehardware initialization for an operating system that provides anoperating environment for the device housing system 100. A device mayenter an operating environment after a successful booting. An operatingenvironment may support various user and/or system applications runningin the device. In one embodiment, code image iBoot 231 may enable massstorage components of the device, initialize graphic components for userinterface, and/or activate screen components for the device, etc. Codeimage iBoot 231 may be stored from RAM 111 based on code image iBoot 227via execution of code image LLB 225.

In one embodiment, code image Kernelcache 223 may be loaded from storage109 to memory 103 based on code image Kernelcache 233. Code imageKernelcache 233 may be part of the kernel of an operating system tosupport the operating environment for the device. In one embodiment,code image Kernelcache 223 causes a kernel and operating systemcomponents 235 to be loaded into memory 103 from storage 109. Operatingsystem components may include user applications, libraries, graphic userinterface components, and/or user data 235. User data may include music,images, videos or other digital content associated with a user of thedevice. For example, such user data may be DRM (digital rightsmanagement) compliant data having restricted usages. Code imageKernelcache 223 may enable loading the kernel and the operating systemcomponents 235 into memory 103. In one embodiment, code imageKernelcache 223 may cause a verification process to ensure the kernel istrusted before being executed in memory 103. In another embodiment, codeimage Kernelcache 223 may cause a verification process to ensure anoperating system component 235 is trusted before being executed inmemory 103. Code image Kernelcache 223 may be executed to determine anoperating system component 235 is trusted based on UID 119 orfingerprints 123. In one embodiment, code image Kernelcache 223 maycause decryption of an operation system component 235 in memory 103according to GID 121. In one embodiment, code image Kernelcache 223 maybe executed to store operating system components 235 from memory 103into storage 109. Code image Kernelcache 223 may enable encryptingoperating system components 235 before being stored in the storage 109.

In one embodiment, UID 119 may be accessible to some operating systemcomponents running in a privileged mode. The kernel of the operatingsystem may deny or approve an application to access UID 119 by anapplication depending on whether the application is running in aprivileged mode. In one embodiment, the kernel of the operating systemmay determine whether an application can be run in a privileged modebased on whether the corresponding code image of the applicationincludes a properly signed signature. A DRM (Digital Right Management)system may be running in a privileged mode to control access to userdata of the operating system components 235 based on UID 119. Anapplication may access user data through a DRM system. In someembodiments, network utilities of the operation system may beprivileged. Network utilities may enable the device to interconnect withoutside resources though an interface chip, such as base band chip. Inanother embodiment, virus protection software may be provided by theoperating system to run in a privileged mode.

Thus, any software components that will be running within the systemmust be verified or authenticated prior to the execution, unless thesoftware components satisfy certain predetermined conditions (e.g.,provided by a trust vendor or during certain circumstances such asmanufacturing of the device or testing of the software components). Inone embodiment, the settings of a secure storage area in the system maybe associated with a predetermined condition. As a result, any data suchas DRM compliant data would not be accessed or compromised withoutproper verification or authentication.

FIG. 3 is a flow diagram illustrating one embodiment of a process toperform secure booting. For example, process 300 may be performed bysystem 100 of FIG. 1. During a booting process of a device, according toone embodiment, the processing logic of process 300 may locate a codeimage from within the device by executing instructions in a ROM chip atblock 301. The instructions may be read from a code section of the ROMchip as in codes 115 of FIG. 1. The code image may be stored in a memorycomponent or a storage component of the device. A memory component maybe a RAM. A storage component may be a flash memory or a mass storagedevice attached to the device. In one embodiment, if the code imagecould not be located, the booting process may be interrupted and thedevice may enter a DFU (Device Firmware Upgrade) mode at block 309. Ifthe code image is located successfully, according to one embodiment, theprocessing logic of process 300 may load the code image into a memory atblock 303. In another embodiment, the code image may already been loadedin the memory when located.

At block 305, according to one embodiment, the processing logic ofprocess 300 may verify whether the loaded code image could be trustedbased on a UID associated with the device such as UID 119 of FIG. 1. Theprocessing logic of process 300 may extract a header value from the codeimage. The location of the header value inside the code image may bepredetermined. In one embodiment, the header value may be extractedbased on a preset attribute in an attribute value pair inside the codeimage. The header value may include a signature value signed over thecode image according to the UID of the device through well-known hashingand encryption algorithms. In one embodiment, the processing logic ofprocess 300 derives another signature value from the code imageaccording to the UID through the same well-known hashing and encryptionalgorithms at block 305. The processing logic of process 300 may comparethe derived signature value and the extracted signature value to verifywhether the code image is trusted. In one embodiment, the verificationmay be successful if the derived signature value and the extractedsignature match with each other. Otherwise, the verification may fail.If the verification is not successful, the processing logic of process300 may cause the device to enter a DFU mode at block 309. In oneembodiment, the processing logic of process 300 may remove the codeimage from the memory before the device enters the DFU mode at block309.

If the verification is successful, the processing logic of process 300may execute the code image at block 311. In one embodiment, the codeimage may be an LLB, an iBoot or a Kernelcache as shown in 225, 227 and223 in FIG. 2. The processing logic of process 300 may perform bootingoperations for the device at block 311. Booting operations may includeproduct identifications, starting device power management, enabling massstorage components, initializing graphic components for user interface,activating screen components and/or device hardware initialization, etc.In one embodiment, booting operations may include loading an operatingsystem to the memory including a kernel and certain operating systemcomponents such as shown in 235 of FIG. 2. The processing logic ofprocess 300 may attach a trust indicator to a trusted code image in thememory to indicate a successful verification. In one embodiment, a codeimage associated with a trust indicator located in a memory may beexecuted as a trusted code without verification. At block 313, theprocessing logic of process 300 may determine if the device iscompletely booted. If the device is completed booted, the device maybecome operational and enter a normal operational mode at block 315. Inone embodiment, a Kernelcache 227 may start a user application runningin a user mode after the device enters a normal operation. Anapplication running in a user mode may not access device hardwarerelated information such as UID 119 and GID 121 of FIG. 2. The devicemay enter a DFU mode if a booting operation fails at block 313.

At block 317, according to one embodiment, the booting process maycontinue when the processing logic of process 300 determines the devicebooting process is not complete at block 313. The processing logic ofprocess 300 may locate another code image at block 313 based onexecuting the current code image. In one embodiment, executing codeimage LLB may locate code image iBoot as shown in FIG. 2. In anotherembodiment, executing code image iBoot may locate code image Kernelcacheas shown in FIG. 2. In some embodiments, executing code imageKernelcache may locate code images including the kernel and operatingsystem components as shown in FIG. 2. The processing logic of process300 may loop back to block 319 to proceed on the booting processaccording to the result of locating the next code image at block 317.

FIG. 4 is a flow diagram illustrating one embodiment of a process togenerate a signature from a code image based on an UID and a seedstring. For example, process 400 may be performed by a system as shownin FIG. 1. In one embodiment, the processing logic of process 400performs a hashing operation 409 over a code image 411, such as LLB 225,iBoot 227 or Kernelcache 223 shown in FIG. 2. The hashing operation maybe based on SHA (Secure Hash Algorithm) hashing functions such ascryptographic hash functions SHA-1, SHA-224, SHA-256, SHA-384, andSHA-512. In one embodiment, hashing operation 409 may produce a keystring 413. Key string 413 may have a length of 20 bytes. In oneembodiment, the processing logic of process 400 may perform anencrypting operation at block 403 to generate a signature 405 based onkey string 413, UID 401 and seed string 407 associated with a device. Inone embodiment, the encrypting operation may be based on an AES(Advanced Encryption Standard) algorithm at block 403. The processinglogic of process 400 may truncate key string 413 at block 403, such asdiscarding 4 out of 20 bytes of key string 413. In one embodiment, theAES algorithm at block 403 is based on 16 bytes. UID 401 may be storedwithin the device as UID 119 shown in FIG. 1. Seed string 407 may begenerated through a seed generating function based on the device. In oneembodiment, seed string 407 may be the same each time the seedgenerating function is applied for the same device.

FIG. 5 is a block diagram illustrating one embodiment of networkconnections for a host to securely boot a device according to the systemof FIG. 1. In one embodiment, a device may enter a DFU mode for bootingby connecting to a host. A device may be forced to enter a DFU modebased on an initiation from a user. In one embodiment, a device mayenter a DFU mode in response to a user performing a predetermined actionsuch as pressing a button of the device. A user may request a device toenter a DFU mode for performing system management tasks for the device,including, for example, cleaning up user data, upgrading hardwaredrivers, upgrading user applications, and/or installing newapplications, etc. A device may automatically enter a DFU mode when thedevice fails to boot in at least one stage of the booting sequence, suchas shown at block 309 of FIG. 3. Alternatively, a device may enter a DFUmode when the operating system encounters an abnormality during normaloperation such as when a corrupted data or damaged software componentsare detected.

According to one embodiment, network 500 may include a device 501coupled with a host 503. Device 501 may be a media player such as, forexample, an iPod from Apple Inc. running restoring daemon application torestore operating system components from the coupled host 503. Device501 may be coupled with host 503 through a connection interfacesupporting TCP/IP protocols. The connection interface may be based onUSB, a wireless network or an Ethernet, etc. In one embodiment, host 503may be a Mac or Windows based computer running application software suchas, for example, an iTune application from Apple Inc. Host 503 may beconnected to a central server 507 through the network 505 such as widearea network (e.g., Internet) or local area network (e.g., Intranet orpeer-to-peer network). In one embodiment, central server 507 may bebased on a publicly accessible web server. Alternatively, server 507 maybe an Intranet or local server.

FIG. 6 is a flow diagram illustrating an embodiment of a process tosecurely recover an operating environment from a host to a device. Forexample, process 600 may be performed by systems as shown in FIGS. 1and/or 5. In one embodiment, the processing logic of process 600 maysend a status to a host computer indicating a device being in a recoverymode at block 601. The device may enter the recovery mode in response toa failure to verify a code image. The host computer may be coupled to adevice performing process 600 as shown in FIG. 5. In one embodiment, thestatus may include a product ID and/or a vendor ID. The host computermay prepare a code image to recover the connected device based on thereceived status. In one embodiment, the code image may be retrieved froma central server computer by the host computer connected over a networksuch as network 505 as shown in FIG. 5. At block 603, according to oneembodiment, the processing logic of process 600 may receive the codeimage from the host computer into a memory component of a device, suchas memory 103 as shown in FIG. 1. The processing logic of process 600may receive an instruction from the host computer to execute thereceived code image at block 605. In one embodiment, process 600 may becontrolled by recovery software running on the host computer, such asiTune running in a MAC based computer.

According to one embodiment, at block 607, the processing logic ofprocess 600 may extract a certificate accompanying the code imagereceived in the memory of the device. The code image may be a LLB, aniBoot and/or a Kernelcache as shown in FIG. 2. The code image may beencrypted according to public key cryptography such as RSA (Ralph ShamirAdelman) public key cryptography. The certificate may include a keybased on X.509 standard. At block 609, the processing logic of process600 may verify the certificate according to the code stored in a secureROM of the device such as code 115 shown in FIG. 1. In one embodiment,the processing logic of process 600 may certify a chain of certificatesto verify the extracted certificate with a root certificate as the lastcertificate in the chain. The processing logic of process 600 mayretrieve certificates from the connected host computer. In oneembodiment, the root certificate may be verified based on thefingerprint stored in a secure ROM of the device, such as fingerprint123 as shown in FIG. 1. The root certificate may be issued by Apple Inc.If the verification fails, the processing logic of process 600 mayreturn the device back to DFU mode to be recovered at block 613.

If the certificate from the code image is successfully verified, theprocessing logic of process 600 may continue the recovery process atblock 615 to decrypt the code image based on the key included in theverified certificate. At block 617, the processing logic of process 600may derive a hash signature from the code image based on a UID stored ina secure ROM of the device, such as UID 119 as shown in FIG. 1. In oneembodiment, the hash signature may be obtained, for example, accordingto the process as shown in FIG. 4. At block 619, the processing logic ofprocess 600 may sign the derived signature into the code image. In oneembodiment, the derived signature may be signed as a header value of thecode image. The processing logic of process 600 may store the signedcode image into a storage of the device at block 621, such as, forexample, storage 109 shown in FIG. 1. In one embodiment, a signed codeimage may be stored to repair another code image failed to be verifiedin the device. In one embodiment, the code image may be executed beforebeing stored into a storage of the device. In another embodiment, thecode image may be stored into the storage of the device after beingsuccessfully executed.

FIG. 7 is a state diagram illustrating an embodiment of a process toperform secure recovery of an operating environment from a host to adevice. For example, states 700 may represent certain operating statesof systems as shown in FIGS. 1 and/or 5. In one embodiment, a device mayenter an initial state Boot 701 to start a boot process. Instructionsstored in a secure ROM of the device may be executed during state Boot701. In one embodiment, during state Boot 701, a low level boot programsuch as LLB 229 shown in FIG. 2 may be located within the device. Thelow level boot program may be located and loaded into a memory componentof the device. In one embodiment, the located low level boot program maybe verified to be a trusted code image according to a process such asdescribed at block 305 of FIG. 3. If the low level boot program issuccessfully located and verified, state 700 may enter state LLB 703from state Boot 701 according to transition Success 711. Otherwise,according to one embodiment, state 700 may enter state Recovery1 717through transition DFU 713 as the device enters a DFU mode.

During state Recover1 717, the device may be coupled with a hostcomputer to perform a recovery process such as shown in FIG. 5. In oneembodiment, the device may publish a status based on state Recovery1717. The host computer may send a code image corresponding to the statusreceived from the device. In one embodiment, the code image may be anLLB 229 as shown in FIG. 2. The device may perform a chain ofcertifications to verify the received code image is trusted based on aUID and a fingerprint stored inside a secure ROM of the device such asUID 119 and fingerprints 123 of FIG. 1. The chain of certifications maybe performed based on a process similar to process 600 at block 609 inFIG. 6. If the code image is successfully loaded and verified, in oneembodiment, the state of the device may be transitioned from stateRecovery1 717 to state LLB 703 through transition Load 715.

In one embodiment, during state LLB 703, the device may execute theverified low level boot program (e.g., LLB or low level library asdescribed above) to locate another boot image such as iBoot 231 shown inFIG. 2 within the device. The boot image may be located and loaded intoa memory component of the device during state LLB 703. In oneembodiment, the boot image may be verified to be a trusted code imageaccording to a process such as described at block 305 of FIG. 3. If theboot image is successfully located and verified, state 700 may enterstate iBoot 705 from state LLB 703. Otherwise, according to oneembodiment, state 700 may enter state Recovery2 719 as the device entersa DFU mode.

During state Recover2 719, the device may be coupled with a hostcomputer to perform a recovery process such as shown in FIG. 5. In oneembodiment, the device may publish a status based on state Recovery2719. The host computer may send a code image corresponding to the statusreceived from the device at state Reovery2 719. In one embodiment, thecode image may be an iBoot 231 as shown in FIG. 2. The device mayperform a chain of certifications to verify the received code image istrusted based on a UID and a fingerprint stored inside a secure ROM ofthe device such as UID 119 and fingerprints 123 of FIG. 1. The chain ofcertifications may be performed based on a process similar to process600 at block 609 in FIG. 6. If the code image is successfully loaded andverified, in one embodiment, the state of the device may be transitionedfrom state Recovery2 719 to state Kernelcache 707.

During state iBoot 705, according to one embodiment, the device mayexecute the verified boot program to locate a kernel image such asKernelcache 233 shown in FIG. 2 within the device. The kernel image maybe located and loaded into a memory component of the device during stateiBoot 705. In one embodiment, the kernel image may be verified to be atrusted code image according to a process such as described at block 305of FIG. 3. If the kernel image is successfully located and verified,state 700 may enter state Kernelcache 707 from state iBoot 705.Otherwise, according to one embodiment, state 700 may enter stateRecovery3 721 as the device enters a DFU mode.

During state Recover3 721, the device may be coupled with a hostcomputer to perform a recovery process such as shown in FIG. 5. In oneembodiment, the device may publish a status based on state Recovery3721. The host computer may send a code image corresponding to the statusreceived from the device at state Reovery3 721. In one embodiment, thecode image may be a kernel image such as Kernelcache 233 of FIG. 2. Thedevice may perform a chain of certifications to verify the received codeimage is trusted based on a UID and a fingerprint stored inside a secureROM of the device such as UID 119 and fingerprints 123 of FIG. 1. Thechain of certifications may be performed based on a process similar toprocess 600 at block 609 in FIG. 6. If the code image is successfullyloaded and verified, in one embodiment, the state of the device may betransitioned from state Recovery3 721 to state Kernelcache 707.

In one embodiment, during state Kernelcache 707, the device may executea verified kernel image to locate operating system components such as235 in FIG. 2. A located operating system component may be loaded into amemory component of the device to be verified as trusted according tothe execution of the verified kernel image during state Kernelcache 707.In one embodiment, the kernel image may determine whether an operatingsystem component is trusted according to a process such as described atblock 305 of FIG. 3. A privileged mode may be assigned to a trustedoperating system component based on the kernel image for accessinghardware level interface of the device, such as UID 119 or GID 123 ofFIG. 2. An operating system component without a signed signature may beassigned a user mode privilege during state Kernelcache 707. In oneembodiment, an operating system component may not be permitted to accesshardware level interface of the device. After the operation system issuccessfully loaded in to the memory of the device, state 700 maytransition from state Kernelcache 707 to state OS 709 corresponding to anormal operating environment. A user application may start running inassigned user mode during state OS 709. In one embodiment, a device atstate Kernelcache 707 may enter a DFU mode to receive a root image froma coupled host computer to restore or update operating system componentsfor the device.

FIG. 8 is a flow diagram illustrating one embodiment of a process tosecurely restore software components from a host to a device. Forexample, process 800 may be performed by systems as shown in FIGS. 1and/or 5. In one embodiment, the processing logic of process 800 mayconfigure the device as a boot device at block 801. A boot device may bein a DFU mode. A user may press a button of a device during a normalbooting of the device to configure the boot device into DFU mode. Theprocessing logic of process 800 may be activated intentionally by adevice user to repair damaged application software, to update oldapplication software, to install a firmware component or to manageexisting user data stored in the device. At block 803, according to oneembodiment, the processing logic of process 800 may establish a networkconnection with a host computer. The device and the host computer may beconnected through a network interface such as shown in FIG. 5. A restoresoftware, such as iTune from Apple Inc., may be running on the hostcomputer to communicate with the device. The processing logic of process800 may publish a status to the host computer to identify the device asin a restore mode via the network connection at block 805. A device in arestore mode may also be in a DFU mode. In one embodiment, the statusmay include information such as device ID and/or product ID. The statusmay include an indication of required code images from the hostcomputer.

At block 807, according to one embodiment, the processing logic ofprocess 800 may receive boot images from the connected host computer.The boot images may include a boot loader such as LLB 229 or iBoot 231as shown in FIG. 2. In one embodiment, the boot images may include akernel cache such as Kernelcache 233 in FIG. 2. A boot image may bereceived based on the status published to the host computer at block805. In one embodiment, the boot images may be loaded into a memorycomponent of the device such as memory 103 of FIG. 1. The processinglogic of process 800 may receive a root image from the connected hostcomputer at block 809. A root image may be a RAM disk based on astripped down version of operating system for the device. In oneembodiment, the root image may include a restore application.

At block 811, according to one embodiment, the processing logic ofprocess 800 may receive a command from the connected host computer toexecute a received boot image. The boot image may be a boot loader. Inresponse, the processing logic of process 800 may verify the boot imageis trusted at block 813. In one embodiment, the processing logic ofprocess 800 may perform a process such as shown in FIG. 6 to determinewhether the boot image could be trusted based on a secure ROM chip suchas chip 105 in FIG. 1. In one embodiment, the processing logic ofprocess 800 may verify a Kernelcache received from the connected hostcomputer is trusted by executing a trusted boot image at block 815. Theprocessing logic of process 800 may perform a process such as shown inFIG. 6 to determine whether the Kernelcache could be trusted based on aroot certificate fingerprint stored in the device such as Fingerprints123 in FIG. 1. At block 817, the processing logic of process 800 mayverify a restore daemon application from the root image is trusted byexecuting the trusted Kernelcache. In one embodiment, the processinglogic of process 800 may determine the restore daemon application couldbe trusted by verifying the root image is a trusted code image. Theprocessing logic of process 800 may perform a process such as shown inFIG. 6 to determine whether the restore daemon application included inthe root image could be trusted.

At block 819, according to one embodiment, the processing logic ofprocess 800 may receive and execute commands calls from the hostcomputer via the restore daemon application to perform softwarerestoration operations. In one embodiment, software restorationoperations may include the partitioning and formatting of file systemsof mass storage, device level restoration or loading new firmware intothe device. The processing logic may start the OS included in the rootimage to launch the restore daemon in the device. In one embodiment,only the reduced portion or minimal portion of the OS is started. Thisdaemon application may communicate with the restore software running inthe connected host computer based on an XML (Extensible Markup Language)protocol. In one embodiment, the restore daemon may allow the restoresoftware running on the host computer to issue arbitrary commands to beexecuted by the device. The commands may include executing auxiliarytools included in the RAM disk and/or making library calls. In oneembodiment, the commands may cause replacing the entire set of softwarestored in the mass storage and the programmable ROM of the device. Atblock 821, the processing logic of process 800 may receive a commandfrom the connected host computer to restart the device. In response, theprocessing logic of process 800 may reset the device. Subsequently, thedevice may reboot from the operating system stored in the mass storageof the device.

FIG. 9 is a flow diagram illustrating one embodiment of a process tosecurely update an application from a host to a device. For example,process 900 may be performed by systems as shown in FIGS. 1 and/or 5.The processing logic of process 900 may establish a network connectionwith a host computer at block 901. The device and the host computer maybe connected through a network interface such as shown in FIG. 5. Updatesoftware, such as iTune from Apple Inc., may be running on the hostcomputer to communicate with the device. The processing logic of process800 may publish a status to the host computer to identify the device asin an update mode via the network connection at block 803. A device inan update mode may also be in a DFU mode. In one embodiment, the statusmay include information such as device ID and/or product ID. The statusmay include an indication of a version ID of an application currentlyresiding in the device.

At block 905, according to one embodiment, the processing logic ofprocess 900 may receive a code images from the connected host computer.The code image may include a software package related to an updatedversion of an application based on the version ID from the publishedstatus received by the host computer at block 903. In one embodiment,the code image may be loaded into a memory component of the device suchas memory 103 as shown in FIG. 1. At block 907, according to oneembodiment, the processing logic of process 900 may verify the codeimage is trusted. The processing logic of process 900 may perform aprocess such as shown in FIG. 6 to determine whether the code imagecould be trusted based on a fingerprint of a root certificate in asecure ROM chip such as Fingerprints 123 in chip 105 shown in FIG. 1. Inone embodiment, the processing logic of process 900 may execute theverified code image to unpack files from the included software packageand lay down those files inside the file system of the device at block909. A file from the software package may be a new file or an updatedversion of an existing file for the device. The processing logic ofprocess 900 may perform an integrity check against a file from thesoftware package to ensure the file is not compromised or corruptedbefore laying down the file into the file system of the device. In oneembodiment, the integrity of a file may be checked based on a signatureaccording to a hash on the file content. At block 911, the processinglogic of process 900 may reset the device to reboot from the operatingsystem stored inside the device.

FIG. 10 is a flow diagram illustrating one embodiment of a process ofexecuting unverified code image. For example, process 1000 may beperformed by a system as shown in FIG. 1. At block 1001, the processinglogic of process 1000 may disable accessing to a UID of a secure ROM ina device such as UID 119 in FIG. 1. In one embodiment, a trusted codeimage may be configured to turn off accessing to the UID when executed.In another embodiment, a hardware switch of the device may includesettings that turn off accessing to the UID. The access configuration ofthe UID may be specified according to a diagnostic or testingrequirement of the device. The trusted code image may be a boot imageverified by codes inside a secure ROM of a device such as codes 115 inFIG. 1. In one embodiment, the verification may be performed in asimilar process as shown in FIG. 6. The boot image may be LLB 225 oriBoot 227 as shown in FIG. 2. At block 1003, the processing logic ofprocess 1000 may load a code image into a memory component of the devicesuch as RAM 111 of FIG. 1. In one embodiment, the processing logic ofprocess 1000 may load the code image based on a configuration of atrusted code image currently being executed. The code image may beloaded from an external network connection or a mass storage coupled tothe device. In one embodiment, the code image may include diagnosticsoftware for the device.

At block 1005, the processing logic of process 1000 may activate aprogramming interface to access device hardware by executing the codeimage. Device hardware may be accessed by reading or setting values ofdevice hardware parameters. The processing logic may derive a hash valuefrom the loaded code image to determine if the code image is notcompromised (e.g., not corrupted). The determination may be based on acomparison between the derived hash value and a header value from thecode image. In one embodiment, the processing logic of process 1000 maydetermine a UID is inactive at block 1007. The programming interface toaccess device hardware may cause an execution of codes inside a secureROM such as codes 115 in FIG. 1 for determining whether the UID isactive or not. At block 1009, the processing logic of process 1000continues executing the code image without accessing the devicehardware. In one embodiment, accessing to the device hardware may becontrolled by the codes inside a secure ROM of a device based on whetherthe associated UID is active or not. In another embodiment, user datamay not be accessible when a UID is not active. Even when an unverifiedapplication is loaded and executed in a device, no device hardware oruser sensitive data may be compromised if the UID is not active.

FIG. 11 is a block diagram illustrating one embodiment of systemcomponents for verifying compatible trusts in secure system booting.System 100 may reside in one or more chips inside a device as shown inFIG. 1. In one embodiment, a plurality of code images may be stored inmemory components of system 100 for securely booting system 100 into anoperating environment. A code image may be an LLB 1107 or an iBoot 1105stored in a NOR flash memory 111 as shown in FIG. 1. Another code imagemay include a KernelCache 1109 stored in a NAND flash memory 103 asshown in FIG. 1. A code image may include executable codes. In oneembodiment, a code image may be associated with an epoch number such asepoch number-1 1111 of KernelCache 1109. An epoch number may represent aversion of trust established on the associated code image. In oneembodiment, an epoch number may be stored as a header value in theassociated code image. The epoch number of a code image may beaccessible during verification operations by another code image, such asoperations at block 305 of process 300 of FIG. 3.

A mass storage 109 as shown in FIG. 1 may include a system partition1101 and a data partition 1103. In one embodiment, a system partition1101 may store operating system components and application codes for adevice supporting system 100. A data partition 1103 may store userspecific data such as address books, notes, music downloads andcalendars, which may be accessed when system 100 executes codes loadedfrom a system partition 1101. In one embodiment, a system partition 1101may be updated without changing data partition 1103. A mass storage 109may include a storage header 1117 storing values indicating anassociated hardware status. In one embodiment, storage headers 117 mayinclude a table of contents describing which data bits are still viablefor storing data in a mass storage 109. Access to storage headers 1117may be permitted via secure operations performed during a secure bootingprocess, such as process 300 of FIG. 3. In one embodiment, values insidestorage headers 1117 may not be altered by processes other than securebooting operations.

According to another embodiment, system 100 may include hardwarecomponents and trusted code images compatible with each other forbooting into an operating environment. A code image LLB 1107 may beverified as trusted by secure ROM 115 based on UID 119 and GID 121. Acode image iBoot 1105 may be verified as trusted by another code imageLLB 1107. A code image iBoot 1105 may be determined to be compatible intrust by another code image LLB 1107 when epoch number-3 1113 of LLB1107 satisfies a predetermined relationship (e.g. less than or equal to)another epoch number-2 1115 of iBoot 1105. A code image KernalCache 1109may be verified as trusted and determined as compatible in trust byanother code image iBoot 1105 when epoch number-2 1115 of iBoot 1105 isnot greater than epoch number-1 1111 of KernelCache 1109. Additionally,Storage 109 may be verified as compatible with KernelCache 1109 whenepoch number-4 1119 of Storage 109 satisfies a predeterminedrelationship (e.g. less than or equal to) with epoch number-1 1111 ofKernelCache 1109.

In one embodiment, trusted code images in system 100 may mutually verifya trust according to associated epoch numbers. For example, a verifiedcode image iBoot 1105 by another code image LLB 1107 may determinewhether LLB 1107 is trusted based on a predetermined relationship (e.g.less than or equal to) between epoch number-3 1113 of LLB 1107 and epochnumber-2 of iBoot 1115. A code image may pass an associated epoch numberto another verified code image executed by the code image. For example,LLB 1107 may pass associated epoch number-3 1113 to verified code imageiBoot 1115 when executing iBoot 1115.

Thus, these components of system 100 may be sequentially verified andloaded to establish an operating environment for system 100, where alower level component verifies an immediate higher level component inthe chain. If any one of the components in the chain fails to beverified, the failed component will not be loaded and thus, theoperating environment may not fully established (e.g., certainfunctionalities may not operate). For example, when system 100 ispowered up, the boot code within the secure ROM 115 is executed. Theboot code finds and verifies LLB 1107 using the embedded UID 119 and/orGID 121. Once the LLB 1107 has been authenticated, an epoch number 1113of the LLB 1107 is revealed from the code image. The LLB 1107 thenauthenticates iBoot image 1105 and obtains the epoch number 1115.Although iBoot 1105 has been successfully authenticated and/or verifiedby LLB 1107, it may not be loaded if its corresponding epoch number doesnot satisfy the epoch number of LLB 1107. The LLB 1107 verifies theepoch number of iBoot by comparing the epoch number of LLB 1107 and theepoch number of iBoot 1105 to ensure that both epoch numbers satisfy apredetermined relationship. If both epoch numbers satisfy thepredetermined relationship, the iBoot 1105 will be loaded by the LLB1107. Likewise, the iBoot 1105 authenticates and verifies the epochnumber of kernel cache 1109, and executes/loads the kernel cache 1109.The kernel cache 1109 in turn authenticates and verifies the rest of thesystem components of the operating system in sequence. Therefore, evenif a hacker finds a vulnerability in a code image that could be used toattack the rest of the system, the vulnerability could not be used inanother system where its epoch number is not accepted. As a result,target components for a security vulnerability are limited to systems ofcurrent or older epochs.

FIG. 12 is a block diagram illustrating one embodiment of systemcomponents for validating trust compatibility with an operating coderunning in a separate processor. System 1200 may include two processorsin a single device, such as a main processor (e.g. a microprocessor or aCPU) in a chip 105 including, for example, an application processor or amain processor, as shown in FIG. 11 and a separate processor (e.g. acommunication processor) such as a base band processor 1211. A base bandprocessor 1211 may provide a main processor in chip 105 functionalitiesto interface with radio and/or wireless communication environments via awireless interface 1213. A connection interface 101 associated with chip105 may be coupled directly or indirectly with a wireless interface 1213associated with a base band processor 1211. In one embodiment, a baseband processor 1211 may execute codes loaded from a base band storage1201 separated from a storage 109 associated with chip 105. A base bandprocessor 1211 may be coupled with chip 105 via a local bus orinterconnect.

In one embodiment, a base band storage 1201 may be a flash memorystoring base band boot core 1205, base band software 1209 and epochnumber-5 1203. Base band boot core 1205 may be executed by a base bandprocessor 1211 when booting system 1200 into an operating environment. Abase band processor 1211 may execute base band software 1209 to providebase band or other communication services to chip 105. Both base bandboot core 1205 and base band software 1209 may be associated with epochnumber-5 1203 stored in a base band storage 1201. In one embodiment, anuploading process may update epoch number-5 when loading base band bootcore 1205 into base band storage 1201 during a restoration, recovery, orupdates for system 1200. Epoch number-5 1203 may be accessible by bothbase band boot core 1205 and/or base band software 1209. In oneembodiment, epoch number-5 1203 may be of the same value as epochnumber-4 1119 stored in storage 109 associated with chip 105 of system1200 or alternatively, they may have a predetermined relationship.

FIG. 13 is a flow diagram illustrating one embodiment of a process torevoke a code image without a compatible trust. Process 300 at block 307of FIG. 3 may be performed in accordance with process 1300 by systemssuch as shown in FIGS. 11 and 12. In one embodiment, the processinglogic of process 1300 may retrieve an epoch number associated with acode image at block 1303 if the code image is successfullyverified/authenticated as a trusted code image at block 1301. If notrust can be established on the code image, the processing logic ofprocess 300 may enter a DFU mode such as DFU mode at block 309 of FIG.3. A code image may be verified as trusted according to process 300 asshown in FIG. 3 based on an UID associated with a device for theprocessing logic of process 1300. An epoch number may be stored withinan associated code image. In one embodiment, an epoch number may beencrypted. Once a trust has been established on an associated codeimage, an encrypted epoch number may be decrypted.

At block 1305, the processing logic of process 1300 may determinewhether an established trust on a code image is compatible with acurrently executed code image, such as code image LLB 1107 of FIG. 11.In one embodiment, the processing logic of process 1300 may compareepoch numbers associated with code images to determine compatibility ofan established trust on a code image. If the retrieved epoch number atblock 1303 associated with the newly verified code image is Et and theepoch number associated with the currently executed code image is Es, inone embodiment, the processing logic may determine the newly verifiedcode image has a compatible trust with the currently executed codedimage if the Et and Es satisfy a predetermined relationship such as, forexample, Et≧Es. At block 1307, if the newly verified code image isdetermined to have an incompatible trust, the processing logic ofprocess 1300 may revoke the established trust of the newly verified codeimage and enter a DFU mode for a device performing process 1300.

At block 1309, in one embodiment, if the newly verified code image isdetermined to have a compatible trust, the processing logic of process1300 may execute the newly verified code image to conduct furthercompatibility check. The newly verified code image may perform reverseverification against a calling code image which has already determined atrust compatibility with the verified code image, for example, accordingto process 1300 at block 1305. The newly verified code image may comparean associated epoch number with an epoch number from a calling imagecode to determine a compatibility according to a predeterminedrelationship, such as, for example, two epoch numbers match each otheror the epoch number from the calling image should not be greater than anepoch number with the newly verified code image. In one embodiment, acalling image code may pass a data structure including an epoch numberto a verified image code when executing the verified image code.

In another embodiment, the newly verified code image may determine if ahardware component of a device is compatible with the newly verifiedcode image. A hardware component may be a mass storage inside thedevice, such as storage 109 of FIG. 11. In one embodiment, a verifiedcode image, such as code image iBoot 1105 of FIG. 11, may executewithout determining if an associated hardware component is compatible.The processing logic of process 1300 may retrieve a hardware epochnumber stored in a location of a hardware component, such as storage 109of FIG. 11. A hardware epoch number may be stored in a predeterminedlocation, such as a header storing a value, e.g. storage header 1117 instorage 109 of FIG. 11, accessible to a verified code image.

The processing logic of process 1300 may compare a hardware epoch numberwith an epoch number associated with a verified code image at block1309. In one embodiment, the processing logic of process 1300 maydetermine a hardware component is not compatible if a retrieved hardwareepoch number is greater than an epoch number Et associated with averified code image. If a hardware component is determined to becompatible at block 1309, the processing logic of process 1300 mayupdate an associated hardware epoch number in a hardware component to beequal to an epoch number Et of a verified code image. For example,storage headers 1117 may be updated with a new epoch number at location1119 of storage 109 in FIG. 11. In one embodiment, updating a headervalue in a storage component in a device may be an exclusive rightbelonging to a verified code image having a compatible trust. Theprocessing logic of process 1300 may enter a DFU mode if a hardwarecomponent is determined not compatible at block 1309. Otherwise, atblock 311, the processing logic of process 1300 may continue executing averified code image to perform booting operations. A device may operatein a trusted state when successfully booted into an operatingenvironment according to process 300 of FIG. 3 including process 1300 ofFIG. 13.

In one embodiment, when executing boot instructions from a Secure ROMsuch as in block 301 of process 300, a certain hardware test points(e.g. via solid states relays, etc.) may be checked to determine if ahardware associated with a device has been altered. If the hardware hasbeen altered, boot instructions may self destruct (e.g., by wiping outthe boot code stored in the ROM) and abort booting process. As a result,the whole device is permanently dead and optionally the owner may berequired to contact a service provider to re-enable the device, e.g.re-burn the boot code into the ROM.

FIG. 14 is a flow diagram illustrating one embodiment of a process torestore an operating environment to a device according to a compatibletrust. For example, process 1400 may be performed by systems as shown inFIGS. 11 and/or 12. In one embodiment, the processing logic of process1400 may configure a boot device in a restore mode connected with a hostcomputer at blocks 801, 803 and 805 similar to the processing logic ofprocess 800 in FIG. 8. At block 1407, in one embodiment, the processinglogic of process 1400 may receive code images from a connected hostcomputer. Code images received may include boot images and a restoreimage. Boot images may be executed to perform secure booting operationsto boot a device into an operating environment, such as code image LLB1107 and code image iBoot 1105 of FIG. 11. A restore image may include akernel cache for an operating system, such as KernelCache 1109 of FIG.11.

At block 1411, in one embodiment, the processing logic of process 1400may verify a received boot image is trusted to start a series of secureoperations to restore a device into a trusted state. The processinglogic of process 1400 may execute secure codes stored inside a secureROM, such as codes 115 of FIG. 2 to verify a loaded boot image. In oneembodiment, a loaded boot image at block 1411 may be an LLB, such ascode image LLB 1107 of FIG. 11. A trusted boot image at block 1411 maybe associated with an epoch number. In one embodiment, secure codes froma secure ROM may be compatible with a verified boot image regardless ofthe associated epoch number. At block 1413, the processing logic ofprocess 1400 may execute a boot image with compatible trust to verifyanother code image, e.g. a boot image or a restore image, and determinewhether a verified code image is compatible in trust. In one embodiment,the processing logic of process 1400 may verify a compatibility with acalling boot image at block 1413 to enforce mutual verification betweentwo boot images, such as between code image LLB 1107 and code imageiBoot 1105 of FIG. 11. In one embodiment, the processing logic ofprocess 1400 may perform verification and determine compatibility basedon epoch numbers associated with code images in a similar way as theprocessing logic of process 1300 in FIG. 13 and the processing logic ofprocess 300 of FIG. 3. For example, a trusted boot image LLB 1107 ofFIG. 11 may verify boot image iBoot 1105 of FIG. 11 as trusted andcompatible according to associated epoch numbers. In one embodiment, theprocessing logic of process 1400 may determine a trusted code image iscompatible if an epoch number associated with the trusted code isavailable, regardless of its value.

At block 1415, in one embodiment, the processing logic of process 1400may execute a restore image which has been verified with a compatibletrust at block 1413 to restore and/or recover an operating system via anincluded kernel cache. For the operating system. In one embodiment, arestore image may execute in the device without receiving commands froma remote host. Executing a kernel cache from a restore image may installbasic operating system components into an associated device. In oneembodiment, executing a kernel cache may update hardware components in adevice, such as reformatting a mass storage, e.g. Storage 109 of FIG.11. In one embodiment, a kernel cache may cause an update on a systempartition of a storage unit, such as System Partition 1101 of FIG. 11,while retaining the contents of a corresponding data partition, such asData Partition 1103 of FIG. 11.

A kernel cache may be associated with an epoch number Ec for verifying acompatibility of a hardware component. In one embodiment, the processinglogic of process 1400 at block 1415 may retrieve a hardware epoch numberEh from a hardware component, such as a header value in a mass storageunit of a device, e.g. Storage Headers 1117 of FIG. 11. The processinglogic of process 1400 may compare a hardware epoch number Eh with theepoch number Ec associated with a kernel cache. If the Ec and Eh satisfya predetermined relationship, such as, for example, Ec is less than Eh,in one embodiment, the processing logic of process 1400 may consider theassociated hardware component and the kernel cache not compatible. If Ecis equal or greater than Eh, for example, in another embodiment, theprocessing logic of process 1400 may consider the hardware component ascompatible. In one embodiment, the processing logic of process 1400 maynot restore a device into a complete operating environment if a hardwarecomponent is found to be not compatible. An incomplete operatingenvironment may be based on an operating system running with reducedfunctionalities. In one embodiment, the processing logic of process 1400may update header values of a compatible hardware component according toan epoch number Ec associated with a kernel cache, such as bumping upthe hardware epoch number stored in a header of a mass storage device tobe equal to Ec. At block 1417, the processing logic of process 1400 maycontinue restoration operations by rebooting a device according to therestored/recovered operating system installed in a mass storage unit ofa device.

FIG. 15 is a flow diagram illustrating one embodiment to verifycompatible trust when providing services to operating environments inseparate processors. Process 1500 may be performed, for example, bysystem 1200 of FIG. 12. In one embodiment, the processing logic ofprocess 1500 may receive a service request from a separate processor,such as a main processor inside Chip 105 of FIG. 12. The processinglogic of process 1500 may be associated with a communication processor,e.g. Base Band Processor 1211 of FIG. 12. In one embodiment, theprocessing logic of process 1500 may receive a radio interface servicerequest from a system bus coupling two separate processors in a singledevice. At block 1503, in one embodiment, the processing logic ofprocess 1500 may send a request to the separate processor to receive anepoch number associated with a current operating environment running inthe separate processor, such as a main processor inside Chip 105 of FIG.12. An operating environment for a processor running an operating systemmay be associated with an epoch number according to system code images,such as LLB 1107, iBoot 1115 or KernelCache 1109 of FIG. 11. In oneembodiment, an operating system may be associated with an epoch numberhaving a value as the smallest one among epochs numbers associated withits boot images, such as epoch number-3 1113, epoch number-2 1115 orepoch number-1 1111 of FIG. 11.

At block 1505, in one embodiment, the processing logic of process 1500may compare a received epoch number with a local epoch number associatedwith a current operating environment running in a local processor todetermine compatibility in trust between operating environments runningin the separate processor and the local processor. A local epoch numbermay be stored in a storage component associated with the localprocessor, such as epoch number-5 1203 of Base Band Storage 1201 asshown in FIG. 12. In one embodiment, a local epoch number may be writteninto a storage unit during system restoration, recovery or updatesaccording to installed boot images for the local processor, such as BaseBand Boot Core 1205 of FIG. 12. In another embodiment, epoch numbers foroperating environments running in a separate processor, such as aprocessor inside Chip 105 of FIG. 12, and a local processor, such asBase Band Processor 1211 of FIG. 12, may be updated during a singletransaction session, such as established via the connection of block 803of FIG. 14, between a remote host and a device including the twoprocessors.

The processing logic of process 1500 may determine compatibility basedon whether a received epoch number and a local epoch number satisfy apredetermined relationship (e.g. greater than or equal to, etc.) In oneembodiment, if an operating environment running in a separate processordoes not have a compatible trust with a local operating environmentrunning in a local processor, such as when a received epoch number isless than a local epoch number, for example, the processing logic ofprocess 1500 may reject the service request at block 1507. Otherwise, atblock 1509, the processing logic of process 1500 may proceed to allocateresources, such as memory or processing capacity, to serve the requestedservice of block 1501. For example, if a base band operating systemrunning in Base Band Processor 1211 of FIG. 12 is with a larger epochnumber than the epoch number associated with a phone operating systemrunning in Chip 105 of FIG. 12, a device running system 1200 of FIG. 12may not have radio interface services provided by the base bandoperating system.

FIG. 16 is a state diagram illustrating an embodiment of a process toperform continued revocation of trusted systems based on epoch numbers.A trusted system may be assigned an epoch number such as 1.0 in trustedstate 1309. A system securely booted into an operating environment, suchas according to process 300 of FIG. 3 and process 1300 of FIG. 13, maybe in a trusted state with an epoch number. A trusted system may remainin a trusted state when installed with additional trusted codes verifiedaccording to a trust verification process such as block 305 of process300 of FIG. 3. A trusted system may be exploited by hackers, such asinstalled with unauthorized software without being verified as trusted.A trusted system at a trusted state, such as state 1609 with epochnumber 1.0, may enter into a hacked state, such as hacked state 1603with epoch number 1.0, when exploited by hackers. In one embodiment, atrusted state or a hacked state with an epoch number may be restoredinto another trusted state with a higher epoch number, such as trustedstate 1607 with epoch number 2.0 restored from either trusted state 1609with epoch number 1 or hacked state 1603 with epoch number 1.0. Trustedstate restorations from a lower epoch number to a higher epoch number,such as Restore 1611 or Restore 1617, may be based on process 1300 ofFIG. 13. In one embodiment, a boot image having a higher epoch numbermay revoke a trust previously established on another boot image having alower epoch number during system restoration, recovery or updates. Arestored trusted state, such as trusted state 1607 with epoch number 2,may be hacked into a hacked state 1601 with epoch number 2. Trustrestorations such as Restore 1613 or Restore 1615 may be performed torestore a system to a trusted state 1605 with epoch number 3, similar toRestore 1611 or Restore 1617.

FIG. 17 shows one example of a data processing system which may be usedwith one embodiment of the present invention. For example, the system1700 may be implemented including a host as shown in FIG. 5. Note thatwhile FIG. 17 illustrates various components of a computer system, it isnot intended to represent any particular architecture or manner ofinterconnecting the components as such details are not germane to thepresent invention. It will also be appreciated that network computersand other data processing systems which have fewer components or perhapsmore components may also be used with the present invention.

As shown in FIG. 17, the computer system 1700, which is a form of a dataprocessing system, includes a bus 1703 which is coupled to amicroprocessor(s) 1705 and a ROM (Read Only Memory) 1707 and volatileRAM 1709 and a non-volatile memory 1711. The microprocessor 1705 mayretrieve the instructions from the memories 1707, 1709, 1711 and executethe instructions to perform operations described above. The bus 1703interconnects these various components together and also interconnectsthese components 1705, 1707, 1709, and 1711 to a display controller anddisplay device 1713 and to peripheral devices such as input/output (I/O)devices which may be mice, keyboards, modems, network interfaces,printers and other devices which are well known in the art. Typically,the input/output devices 1715 are coupled to the system throughinput/output controllers 1717. The volatile RAM (Random Access Memory)1709 is typically implemented as dynamic RAM (DRAM) which requires powercontinually in order to refresh or maintain the data in the memory.

The mass storage 1711 is typically a magnetic hard drive or a magneticoptical drive or an optical drive or a DVD RAM or a flash memory orother types of memory systems which maintain data (e.g. large amounts ofdata) even after power is removed from the system. Typically, the massstorage 1711 will also be a random access memory although this is notrequired. While FIG. 17 shows that the mass storage 1711 is a localdevice coupled directly to the rest of the components in the dataprocessing system, it will be appreciated that the present invention mayutilize a non-volatile memory which is remote from the system, such as anetwork storage device which is coupled to the data processing systemthrough a network interface such as a modem, an Ethernet interface or awireless network. The bus 1703 may include one or more buses connectedto each other through various bridges, controllers and/or adapters as iswell known in the art.

FIG. 18 shows an example of another data processing system which may beused with one embodiment of the present invention. For example, system1800 may be implemented as part of system as shown in FIG. 1. The dataprocessing system 1800 shown in FIG. 18 includes a processing system1811, which may be one or more microprocessors, or which may be a systemon a chip integrated circuit, and the system also includes memory 1801for storing data and programs for execution by the processing system.The system 1800 also includes an audio input/output subsystem 1805 whichmay include a microphone and a speaker for, for example, playing backmusic or providing telephone functionality through the speaker andmicrophone.

A display controller and display device 1807 provide a visual userinterface for the user; this digital interface may include a graphicaluser interface which is similar to that shown on a Macintosh computerwhen running OS X operating system software. The system 1800 alsoincludes one or more wireless transceivers 1803 to communicate withanother data processing system, such as the system 1100 of FIG. 11. Awireless transceiver may be a WiFi transceiver, an infrared transceiver,a Bluetooth transceiver, and/or a wireless cellular telephonytransceiver. It will be appreciated that additional components, notshown, may also be part of the system 1800 in certain embodiments, andin certain embodiments fewer components than shown in FIG. 18 may alsobe used in a data processing system.

The data processing system 1800 also includes one or more input devices1813 which are provided to allow a user to provide input to the system.These input devices may be a keypad or a keyboard or a touch panel or amulti touch panel. The data processing system 1800 also includes anoptional input/output device 1815 which may be a connector for a dock.It will be appreciated that one or more buses, not shown, may be used tointerconnect the various components as is well known in the art. Thedata processing system shown in FIG. 18 may be a handheld computer or apersonal digital assistant (PDA), or a cellular telephone with PDA likefunctionality, or a handheld computer which includes a cellulartelephone, or a media player, such as an iPod, or devices which combineaspects or functions of these devices, such as a media player combinedwith a PDA and a cellular telephone in one device. In other embodiments,the data processing system 1800 may be a network computer or an embeddedprocessing device within another device, or other types of dataprocessing systems which have fewer components or perhaps morecomponents than that shown in FIG. 18.

At least certain embodiments of the inventions may be part of a digitalmedia player, such as a portable music and/or video media player, whichmay include a media processing system to present the media, a storagedevice to store the media and may further include a radio frequency (RF)transceiver (e.g., an RF transceiver for a cellular telephone) coupledwith an antenna system and the media processing system. In certainembodiments, media stored on a remote storage device may be transmittedto the media player through the RF transceiver. The media may be, forexample, one or more of music or other audio, still pictures, or motionpictures.

The portable media player may include a media selection device, such asa click wheel input device on an iPod® or iPod Nano® media player fromApple, Inc. of Cupertino, Calif., a touch screen input device,pushbutton device, movable pointing input device or other input device.The media selection device may be used to select the media stored on thestorage device and/or the remote storage device. The portable mediaplayer may, in at least certain embodiments, include a display devicewhich is coupled to the media processing system to display titles orother indicators of media being selected through the input device andbeing presented, either through a speaker or earphone(s), or on thedisplay device, or on both display device and a speaker or earphone(s).Examples of a portable media player are described in published U.S.patent application numbers 2003/0095096 and 2004/0224638, both of whichare incorporated herein by reference.

Portions of what was described above may be implemented with logiccircuitry such as a dedicated logic circuit or with a microcontroller orother form of processing core that executes program code instructions.Thus processes taught by the discussion above may be performed withprogram code such as machine-executable instructions that cause amachine that executes these instructions to perform certain functions.In this context, a “machine” may be a machine that converts intermediateform (or “abstract”) instructions into processor specific instructions(e.g., an abstract execution environment such as a “virtual machine”(e.g., a Java Virtual Machine), an interpreter, a Common LanguageRuntime, a high-level language virtual machine, etc.), and/or,electronic circuitry disposed on a semiconductor chip (e.g., “logiccircuitry” implemented with transistors) designed to executeinstructions such as a general-purpose processor and/or aspecial-purpose processor. Processes taught by the discussion above mayalso be performed by (in the alternative to a machine or in combinationwith a machine) electronic circuitry designed to perform the processes(or a portion thereof) without the execution of program code.

The present invention also relates to an apparatus for performing theoperations described herein. This apparatus may be specially constructedfor the required purpose, or it may comprise a general-purpose computerselectively activated or reconfigured by a computer program stored inthe computer. Such a computer program may be stored in a computerreadable storage medium, such as, but is not limited to, any type ofdisk including floppy disks, optical disks, CD-ROMs, andmagnetic-optical disks, read-only memories (ROMs), RAMs, EPROMs,EEPROMs, magnetic or optical cards, or any type of media suitable forstoring electronic instructions, and each coupled to a computer systembus.

A machine readable medium includes any mechanism for storing ortransmitting information in a form readable by a machine (e.g., acomputer). For example, a machine readable medium includes read onlymemory (“ROM”); random access memory (“RAM”); magnetic disk storagemedia; optical storage media; flash memory devices; electrical, optical,acoustical or other form of propagated signals (e.g., carrier waves,infrared signals, digital signals, etc.); etc.

An article of manufacture may be used to store program code. An articleof manufacture that stores program code may be embodied as, but is notlimited to, one or more memories (e.g., one or more flash memories,random access memories (static, dynamic or other)), optical disks,CD-ROMs, DVD ROMs, EPROMs, EEPROMs, magnetic or optical cards or othertype of machine-readable media suitable for storing electronicinstructions. Program code may also be downloaded from a remote computer(e.g., a server) to a requesting computer (e.g., a client) by way ofdata signals embodied in a propagation medium (e.g., via a communicationlink (e.g., a network connection)).

The preceding detailed descriptions are presented in terms of algorithmsand symbolic representations of operations on data bits within acomputer memory. These algorithmic descriptions and representations arethe tools used by those skilled in the data processing arts to mosteffectively convey the substance of their work to others skilled in theart. An algorithm is here, and generally, conceived to be aself-consistent sequence of operations leading to a desired result. Theoperations are those requiring physical manipulations of physicalquantities. Usually, though not necessarily, these quantities take theform of electrical or magnetic signals capable of being stored,transferred, combined, compared, and otherwise manipulated. It hasproven convenient at times, principally for reasons of common usage, torefer to these signals as bits, values, elements, symbols, characters,terms, numbers, or the like.

It should be kept in mind, however, that all of these and similar termsare to be associated with the appropriate physical quantities and aremerely convenient labels applied to these quantities. Unlessspecifically stated otherwise as apparent from the above discussion, itis appreciated that throughout the description, discussions utilizingterms such as “processing” or “computing” or “calculating” or“determining” or “displaying” or the like, refer to the action andprocesses of a computer system, or similar electronic computing device,that manipulates and transforms data represented as physical(electronic) quantities within the computer system's registers andmemories into other data similarly represented as physical quantitieswithin the computer system memories or registers or other suchinformation storage, transmission or display devices.

The processes and displays presented herein are not inherently relatedto any particular computer or other apparatus. Various general-purposesystems may be used with programs in accordance with the teachingsherein, or it may prove convenient to construct a more specializedapparatus to perform the operations described. The required structurefor a variety of these systems will be evident from the descriptionbelow. In addition, the present invention is not described withreference to any particular programming language. It will be appreciatedthat a variety of programming languages may be used to implement theteachings of the invention as described herein.

The foregoing discussion merely describes some exemplary embodiments ofthe present invention. One skilled in the art will readily recognizefrom such discussion, the accompanying drawings and the claims thatvarious modifications can be made without departing from the spirit andscope of the invention.

1. A computer implemented method for establishing an operatingenvironment of a device, the method comprising: executing a firstexecutable code image in a memory of a device in an attempt to establishan operating environment of the device, the first executable code imagebeing associated with a first version number; the first executable codeimage, which when executed from the memory, authenticating a secondexecutable code image, which when successful, to retrieve a secondversion number from the second executable code image; and the first andsecond executable code images mutually verifying compatibility betweenthe first and second code images, wherein the mutual verification iscapable of preventing the second executable code image from being loadedby the first executable code image if the first version number and thesecond version number do not satisfy a predetermined relationship andwherein the mutual verification interrupts execution of the secondexecutable code image if the first and second version numbers do notsatisfy the predetermined relationship and the second executable codeimage is loaded by the first executable code image.
 2. The method ofclaim 1, wherein the second version number of the second executable codeimage is revealed from the second executable code image when the secondexecutable code image is successfully authenticated by the firstexecutable code image.
 3. The method of claim 1, further comprising thefirst executable code image loading the second executable code imageonly if the first version number and the second version number satisfythe predetermined relationship.
 4. The method of claim 3, wherein thesecond code image is loaded for the execution to receive the firstversion number from the first executable code image, and wherein themutual verification comprises: verifying a compatibility with the firstcode image based on the first version number and the second versionnumber; and interrupting the executing the second executable code imageif the compatibility is not verified.
 5. The method of claim 4, whereinthe compatibility is verified according to the predeterminedrelationship.
 6. The method of claim 1, wherein the second executablecode image is prevented from being loaded when the first version numberis higher than the second version number.
 7. The method of claim 1,wherein the predetermined relationship includes matching the firstversion number and the second version number.
 8. The method of claim 6further comprising restoring at least the second executable code imagefrom a host communicatively coupled to the device if the first versionnumber and the second version number satisfy the predeterminedrelationship, the restored second executable code image having a thirdversion number higher than at least one of the first version number andthe second version number.
 9. The method of claim 1, wherein the firstexecutable code image is executed by a boot code stored in a secure ROM(read-only memory) of the device, wherein the boot code is configured toauthenticate the first executable code image using a hardware keyembedded within the device.
 10. The method of claim 1, wherein thedevice is a portable device.
 11. A non-transitory computer-readablestorage medium having instructions stored therein, which when executedby a machine, cause a machine to perform a method for establishing anoperating environment of a device, the method comprising: executing afirst executable code image into in a memory of a device in an attemptto establish an operating environment of the device, the firstexecutable code image being associated with a first version number; thefirst executable code image, which when executed from the memory,authenticating a second executable code image, which when successful, toretrieve a second version number from the second executable code image;and the first and second executable code images mutually verifyingcompatibility between the first and second code images, wherein themutual verification is capable of preventing the second executable codeimage from being loaded by the first executable code image if the firstversion number and the second version number do not satisfy apredetermined relationship and wherein the mutual verificationinterrupts execution of the second executable code image if the firstand second version numbers do not satisfy the predetermined relationshipand the second executable code image is loaded by the first executablecode image.
 12. The computer-readable storage medium of claim 11,wherein the second version number of the second executable code image isrevealed from the second executable code image when the secondexecutable code image is successfully authenticated by the firstexecutable code image.
 13. The computer-readable storage medium of claim11, wherein the method further comprises the first executable code imageloading the second executable code image only if the first versionnumber and the second version number satisfy the predeterminedrelationship.
 14. The computer-readable storage medium of claim 13,wherein the second code image is loaded for the execution to receive thefirst version number from the first executable code image, and whereinthe mutual verification comprises: verifying a compatibility with thefirst code image based on the first version number and the secondversion number; and interrupting the executing the second executablecode image if the compatibility is not verified.
 15. Thecomputer-readable storage medium of claim 11, wherein the secondexecutable code image is prevented from being loaded when the firstversion number is higher than the second version number.
 16. Thecomputer-readable storage medium of claim 11, wherein the secondexecutable code image is prevented from being loaded if the secondversion number cannot be retrieved from the second executable codeimage.
 17. The computer-readable storage medium of claim 15, wherein themethod further comprises restoring at least the second executable codeimage from a host communicatively coupled to the device if the firstversion number and the second version number satisfy the predeterminedrelationship, the restored second executable code image having a thirdversion number higher than at least one of the first version number andthe second version number.
 18. The computer-readable storage medium ofclaim 11, wherein the first executable code image is executed by a bootcode stored in a secure ROM (read-only memory) of the device, whereinthe boot code is configured to authenticate the first executable codeimage using a hardware key embedded within the device.
 19. Thecomputer-readable storage medium of claim 11, wherein the device is aportable device.
 20. A computer-implemented method for establishing anoperating environment of a device, the method comprising: authenticatinga first and second executable images to be loaded into a memory of thedevice in an attempt to establish an operating environment of thedevice; in response to successfully authenticating the first and secondexecutable code images, examining a first version number stored in thefirst executable code image and a second version number stored in thesecond executable code image for a compatibility between the first andsecond executable code images; and mutually verifying the compatibilitybetween the first and second code images based on the first and secondversion numbers, wherein the compatibility is verified if the first andsecond version numbers satisfy a predetermined condition, wherein themutual verification is capable of preventing the second executable codeimage from being loaded if the compatibility is not verified and whereinthe mutual verification interrupts execution of the second executablecode image if the compatibility is not verified and the second codeimage is loaded in the memory.
 21. The method of claim 20, wherein thesecond executable code image is executed only if the second executablecode image is successfully authenticated and the first and secondversion numbers satisfy the predetermined condition.
 22. Acomputer-implemented method, comprising: receiving a plurality ofexecutable code images to be loaded in sequence in order to establish anoperating environment of a portable device; and sequentiallyauthenticating the plurality of executable code images, wherein acurrent executable code image is configured to authenticate a nextexecutable code image in the sequence and upon successfullyauthenticating the next executable code image, to examine a firstversion of the next executable code image, wherein the next executablecode image is configured to examine a second version of the currentexecutable code image, wherein the first and second executable codeimages are configured to mutually verify a compatibility between thecurrent and next executable code images based on whether the first andsecond versions satisfy a predetermined relationship, wherein the mutualverification is capable of preventing the next executable code imagefrom being loaded if the compatibility is not verified and wherein themutual verification interrupts execution of the next executable codeimage if the compatibility is not verified and the next executable codeimage is loaded.